2871ff
# For the curious:
2871ff
# 0.9.8jk + EAP-FAST soversion = 8
2871ff
# 1.0.0 soversion = 10
2871ff
# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
2871ff
#                        depends on build configuration options)
2871ff
# 3.0.0 soversion = 3 (same as upstream)
2871ff
%define soversion 3
2871ff
2871ff
# Arches on which we need to prevent arch conflicts on opensslconf.h, must
2871ff
# also be handled in opensslconf-new.h.
2871ff
%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
2871ff
22d461
%define srpmhash() %{lua:
22d461
local files = rpm.expand("%_specdir/openssl.spec")
22d461
for i, p in ipairs(patches) do
22d461
   files = files.." "..p
22d461
end
22d461
for i, p in ipairs(sources) do
22d461
   files = files.." "..p
22d461
end
22d461
local sha256sum = assert(io.popen("cat "..files.." 2>/dev/null | sha256sum"))
22d461
local hash = sha256sum:read("*a")
22d461
sha256sum:close()
22d461
print(string.sub(hash, 0, 16))
22d461
}
22d461
2871ff
%global _performance_build 1
2871ff
2871ff
Summary: Utilities from the general purpose cryptography library with TLS implementation
2871ff
Name: openssl
1ac26c
Version: 3.0.7
1ac26c
Release: 5%{?dist}
2871ff
Epoch: 1
2871ff
# We have to remove certain patented algorithms from the openssl source
2871ff
# tarball with the hobble-openssl script which is included below.
2871ff
# The original openssl upstream tarball cannot be shipped in the .src.rpm.
1ac26c
Source: openssl-%{version}-hobbled.tar.gz
2871ff
Source1: hobble-openssl
2871ff
Source2: Makefile.certificate
2871ff
Source3: genpatches
2871ff
Source6: make-dummy-cert
2871ff
Source7: renew-dummy-cert
2871ff
Source9: configuration-switch.h
2871ff
Source10: configuration-prefix.h
2871ff
Source12: ec_curve.c
2871ff
Source13: ectest.c
6ed7c9
Source14: 0025-for-tests.patch
2871ff
2871ff
# Patches exported from source git
2871ff
# Aarch64 and ppc64le use lib64
2871ff
Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch
2871ff
# Use more general default values in openssl.cnf
2871ff
Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch
2871ff
# Do not install html docs
2871ff
Patch3: 0003-Do-not-install-html-docs.patch
2871ff
# Override default paths for the CA directory tree
2871ff
Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch
2871ff
# apps/ca: fix md option help text
2871ff
Patch5: 0005-apps-ca-fix-md-option-help-text.patch
2871ff
# Disable signature verification with totally unsafe hash algorithms
2871ff
Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
2871ff
# Add support for PROFILE=SYSTEM system default cipherlist
2871ff
Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
2871ff
# Add FIPS_mode() compatibility macro
2871ff
Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
2871ff
# Add check to see if fips flag is enabled in kernel
6ed7c9
Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
2871ff
# remove unsupported EC curves
2871ff
Patch11: 0011-Remove-EC-curves.patch
f57b16
# Disable explicit EC curves
22d461
# https://bugzilla.redhat.com/show_bug.cgi?id=2066412
f57b16
Patch12: 0012-Disable-explicit-ec.patch
2871ff
# Instructions to load legacy provider in openssl.cnf
2871ff
Patch24: 0024-load-legacy-prov.patch
6ed7c9
# Tmp: test name change
6ed7c9
Patch31: 0031-tmp-Fix-test-names.patch
6ed7c9
# We load FIPS provider and set FIPS properties implicitly
6ed7c9
Patch32: 0032-Force-fips.patch
6ed7c9
# Embed HMAC into the fips.so
6ed7c9
Patch33: 0033-FIPS-embed-hmac.patch
6ed7c9
# Comment out fipsinstall command-line utility
6ed7c9
Patch34: 0034.fipsinstall_disable.patch
6f4837
# Skip unavailable algorithms running `openssl speed`
6f4837
Patch35: 0035-speed-skip-unavailable-dgst.patch
22d461
# Extra public/private key checks required by FIPS-140-3
22d461
Patch44: 0044-FIPS-140-3-keychecks.patch
a74baf
# Minimize fips services
a74baf
Patch45: 0045-FIPS-services-minimize.patch
a74baf
# Execute KATS before HMAC verification
a74baf
Patch47: 0047-FIPS-early-KATS.patch
f57b16
# Selectively disallow SHA1 signatures
f57b16
Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
f57b16
# https://bugzilla.redhat.com/show_bug.cgi?id=2049265
f57b16
Patch50: 0050-FIPS-enable-pkcs12-mac.patch
f57b16
# Backport of patch for RHEL for Edge rhbz #2027261
f57b16
Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch
f57b16
# Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
f57b16
Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
1ac26c
# Originally from https://github.com/openssl/openssl/pull/18103
1ac26c
# As we rebased to 3.0.7 and used the version of the function
1ac26c
# not matching the upstream one, we have to use aliasing.
1ac26c
# When we eliminate this patch, the `-Wl,--allow-multiple-definition`
1ac26c
# should also be removed
22d461
Patch56: 0056-strcasecmp.patch
22d461
# https://bugzilla.redhat.com/show_bug.cgi?id=2053289
22d461
Patch58: 0058-FIPS-limit-rsa-encrypt.patch
22d461
# https://bugzilla.redhat.com/show_bug.cgi?id=2069235
22d461
Patch60: 0060-FIPS-KAT-signature-tests.patch
22d461
# https://bugzilla.redhat.com/show_bug.cgi?id=2087147
22d461
Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
22d461
Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
1ac26c
# https://bugzilla.redhat.com/show_bug.cgi?id=2130708
1ac26c
# https://github.com/openssl/openssl/pull/18883
1ac26c
Patch67: 0067-ppc64le-Montgomery-multiply.patch
22d461
# https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c
22d461
# https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd
22d461
Patch71: 0071-AES-GCM-performance-optimization.patch
22d461
# https://github.com/openssl/openssl/commit/f596bbe4da779b56eea34d96168b557d78e1149
22d461
# https://github.com/openssl/openssl/commit/7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa
22d461
# hunks in crypto/ppccap.c from https://github.com/openssl/openssl/commit/f5485b97b6c9977c0d39c7669b9f97a879312447
22d461
Patch72: 0072-ChaCha20-performance-optimizations-for-ppc64le.patch
22d461
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
22d461
Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
22d461
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
22d461
Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
22d461
# https://bugzilla.redhat.com/show_bug.cgi?id=2102535
22d461
Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch
22d461
# Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
22d461
# https://bugzilla.redhat.com/show_bug.cgi?id=2102541
22d461
Patch76: 0076-FIPS-140-3-DRBG.patch
22d461
# https://bugzilla.redhat.com/show_bug.cgi?id=2102542
22d461
Patch77: 0077-FIPS-140-3-zeroization.patch
22d461
# https://bugzilla.redhat.com/show_bug.cgi?id=2114772
22d461
Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch
1ac26c
#https://bugzilla.redhat.com/show_bug.cgi?id=2141748
1ac26c
Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
1ac26c
# https://bugzilla.redhat.com/show_bug.cgi?id=2142131
1ac26c
Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
1ac26c
# https://bugzilla.redhat.com/show_bug.cgi?id=2141695
1ac26c
Patch82: 0082-kbkdf-Add-explicit-FIPS-indicator-for-key-length.patch
1ac26c
# https://bugzilla.redhat.com/show_bug.cgi?id=2136250
1ac26c
Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
1ac26c
# https://bugzilla.redhat.com/show_bug.cgi?id=2137557
1ac26c
Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
1ac26c
#https://bugzilla.redhat.com/show_bug.cgi?id=2142121
1ac26c
Patch85: 0085-FIPS-RSA-disable-shake.patch
1ac26c
# https://bugzilla.redhat.com/show_bug.cgi?id=2142087
1ac26c
Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch
1ac26c
# https://bugzilla.redhat.com/show_bug.cgi?id=2142087
1ac26c
Patch89: 0089-PSS-salt-length-from-provider.patch
1ac26c
# https://bugzilla.redhat.com/show_bug.cgi?id=2142087
1ac26c
Patch90: 0090-signature-Clamp-PSS-salt-len-to-MD-len.patch
1ac26c
# https://bugzilla.redhat.com/show_bug.cgi?id=2144561
1ac26c
Patch91: 0091-FIPS-RSA-encapsulate.patch
1ac26c
# https://bugzilla.redhat.com/show_bug.cgi?id=2142517
1ac26c
Patch92: 0092-provider-improvements.patch
1ac26c
1ac26c
# OpenSSL 3.0.8 CVEs
1ac26c
Patch101: 0101-CVE-2022-4203-nc-match.patch
1ac26c
Patch102: 0102-CVE-2022-4304-RSA-time-oracle.patch
1ac26c
Patch103: 0103-CVE-2022-4450-pem-read-bio.patch
1ac26c
Patch104: 0104-CVE-2023-0215-UAF-bio.patch
1ac26c
Patch105: 0105-CVE-2023-0216-pkcs7-deref.patch
1ac26c
Patch106: 0106-CVE-2023-0217-dsa.patch
1ac26c
Patch107: 0107-CVE-2023-0286-X400.patch
1ac26c
Patch108: 0108-CVE-2023-0401-pkcs7-md.patch
2871ff
2871ff
License: ASL 2.0
2871ff
URL: http://www.openssl.org/
a74baf
BuildRequires: gcc g++
2871ff
BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
2871ff
BuildRequires: lksctp-tools-devel
2871ff
BuildRequires: /usr/bin/rename
2871ff
BuildRequires: /usr/bin/pod2man
2871ff
BuildRequires: /usr/sbin/sysctl
2871ff
BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
2871ff
BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
2871ff
BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA)
2871ff
BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint)
2871ff
BuildRequires: git-core
2871ff
Requires: coreutils
2871ff
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
2871ff
2871ff
%description
2871ff
The OpenSSL toolkit provides support for secure communications between
2871ff
machines. OpenSSL includes a certificate management tool and shared
2871ff
libraries which provide various cryptographic algorithms and
2871ff
protocols.
2871ff
2871ff
%package libs
2871ff
Summary: A general purpose cryptography library with TLS implementation
2871ff
Requires: ca-certificates >= 2008-5
2871ff
Requires: crypto-policies >= 20180730
2871ff
2871ff
%description libs
2871ff
OpenSSL is a toolkit for supporting cryptography. The openssl-libs
2871ff
package contains the libraries that are used by various applications which
2871ff
support cryptographic algorithms and protocols.
2871ff
2871ff
%package devel
2871ff
Summary: Files for development of applications which will use OpenSSL
2871ff
Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
2871ff
Requires: pkgconfig
2871ff
2871ff
%description devel
2871ff
OpenSSL is a toolkit for supporting cryptography. The openssl-devel
2871ff
package contains include files needed to develop applications which
2871ff
support various cryptographic algorithms and protocols.
2871ff
2871ff
%package perl
2871ff
Summary: Perl scripts provided with OpenSSL
2871ff
Requires: perl-interpreter
2871ff
Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
2871ff
2871ff
%description perl
2871ff
OpenSSL is a toolkit for supporting cryptography. The openssl-perl
2871ff
package provides Perl scripts for converting certificates and keys
2871ff
from other formats to the formats used by the OpenSSL toolkit.
2871ff
2871ff
%prep
6ed7c9
%autosetup -S git -n %{name}-%{version}
2871ff
2871ff
# The hobble_openssl is called here redundantly, just to be sure.
2871ff
# The tarball has already the sources removed.
2871ff
%{SOURCE1} > /dev/null
2871ff
2871ff
cp %{SOURCE12} crypto/ec/
2871ff
cp %{SOURCE13} test/
2871ff
2871ff
%build
2871ff
# Figure out which flags we want to use.
2871ff
# default
2871ff
sslarch=%{_os}-%{_target_cpu}
2871ff
%ifarch %ix86
2871ff
sslarch=linux-elf
2871ff
if ! echo %{_target} | grep -q i686 ; then
2871ff
	sslflags="no-asm 386"
2871ff
fi
2871ff
%endif
2871ff
%ifarch x86_64
2871ff
sslflags=enable-ec_nistp_64_gcc_128
2871ff
%endif
2871ff
%ifarch sparcv9
2871ff
sslarch=linux-sparcv9
2871ff
sslflags=no-asm
2871ff
%endif
2871ff
%ifarch sparc64
2871ff
sslarch=linux64-sparcv9
2871ff
sslflags=no-asm
2871ff
%endif
2871ff
%ifarch alpha alphaev56 alphaev6 alphaev67
2871ff
sslarch=linux-alpha-gcc
2871ff
%endif
2871ff
%ifarch s390 sh3eb sh4eb
2871ff
sslarch="linux-generic32 -DB_ENDIAN"
2871ff
%endif
2871ff
%ifarch s390x
2871ff
sslarch="linux64-s390x"
2871ff
%endif
2871ff
%ifarch %{arm}
2871ff
sslarch=linux-armv4
2871ff
%endif
2871ff
%ifarch aarch64
2871ff
sslarch=linux-aarch64
2871ff
sslflags=enable-ec_nistp_64_gcc_128
2871ff
%endif
2871ff
%ifarch sh3 sh4
2871ff
sslarch=linux-generic32
2871ff
%endif
2871ff
%ifarch ppc64 ppc64p7
2871ff
sslarch=linux-ppc64
2871ff
%endif
2871ff
%ifarch ppc64le
2871ff
sslarch="linux-ppc64le"
2871ff
sslflags=enable-ec_nistp_64_gcc_128
2871ff
%endif
2871ff
%ifarch mips mipsel
2871ff
sslarch="linux-mips32 -mips32r2"
2871ff
%endif
2871ff
%ifarch mips64 mips64el
2871ff
sslarch="linux64-mips64 -mips64r2"
2871ff
%endif
2871ff
%ifarch mips64el
2871ff
sslflags=enable-ec_nistp_64_gcc_128
2871ff
%endif
2871ff
%ifarch riscv64
2871ff
sslarch=linux-generic64
2871ff
%endif
2871ff
2871ff
# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
2871ff
# marked as not requiring an executable stack.
2871ff
# Also add -DPURIFY to make using valgrind with openssl easier as we do not
2871ff
# want to depend on the uninitialized memory as a source of entropy anyway.
2871ff
RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS"
2871ff
2871ff
export HASHBANGPERL=/usr/bin/perl
2871ff
22d461
%define fips %{version}-%{srpmhash}
2871ff
# ia64, x86_64, ppc are OK by default
2871ff
# Configure the build tree.  Override OpenSSL defaults with known-good defaults
2871ff
# usable on all platforms.  The Configure script already knows to use -fPIC and
2871ff
# RPM_OPT_FLAGS, so we can skip specifiying them here.
2871ff
./Configure \
2871ff
	--prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
2871ff
	--system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
2871ff
	zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
2871ff
	enable-cms enable-md2 enable-rc5 enable-ktls enable-fips\
a74baf
	no-mdc2 no-ec2m no-sm2 no-sm4 enable-buildtest-c++\
1ac26c
	shared  ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
1ac26c
	-Wl,--allow-multiple-definition
2871ff
2871ff
# Do not run this in a production package the FIPS symbols must be patched-in
2871ff
#util/mkdef.pl crypto update
2871ff
a74baf
make %{?_smp_mflags} all
2871ff
2871ff
# Clean up the .pc files
2871ff
for i in libcrypto.pc libssl.pc openssl.pc ; do
2871ff
  sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
2871ff
done
2871ff
2871ff
%check
2871ff
# Verify that what was compiled actually works.
2871ff
2871ff
# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
2871ff
(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
2871ff
(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
2871ff
 sed '/"msan" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
2871ff
 touch -r configdata.pm configdata.pm.new && \
2871ff
 mv -f configdata.pm.new configdata.pm)
2871ff
2871ff
# We must revert patch4 before tests otherwise they will fail
2871ff
patch -p1 -R < %{PATCH4}
6ed7c9
#We must disable default provider before tests otherwise they will fail
6ed7c9
patch -p1 < %{SOURCE14}
2871ff
2871ff
OPENSSL_ENABLE_MD5_VERIFY=
2871ff
export OPENSSL_ENABLE_MD5_VERIFY
f57b16
OPENSSL_ENABLE_SHA1_SIGNATURES=
f57b16
export OPENSSL_ENABLE_SHA1_SIGNATURES
2871ff
OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
2871ff
export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
6ed7c9
#embed HMAC into fips provider for test run
6ed7c9
LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
6ed7c9
objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
6ed7c9
mv providers/fips.so.mac providers/fips.so
6ed7c9
#run tests itself
2871ff
make test HARNESS_JOBS=8
2871ff
2871ff
# Add generation of HMAC checksum of the final stripped library
6ed7c9
# We manually copy standard definition of __spec_install_post
6ed7c9
# and add hmac calculation/embedding to fips.so
6ed7c9
%define __spec_install_post \
6ed7c9
    %{?__debug_package:%{__debug_install_post}} \
6ed7c9
    %{__arch_install_post} \
6ed7c9
    %{__os_install_post} \
6ed7c9
    LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
6ed7c9
    objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
6ed7c9
    mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
6ed7c9
    rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
6ed7c9
%{nil}
2871ff
2871ff
%define __provides_exclude_from %{_libdir}/openssl
2871ff
2871ff
%install
2871ff
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
2871ff
# Install OpenSSL.
2871ff
install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
2871ff
%make_install
2871ff
rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
2871ff
for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
2871ff
	chmod 755 ${lib}
2871ff
	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
2871ff
	ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
2871ff
done
2871ff
2871ff
# Remove static libraries
2871ff
for lib in $RPM_BUILD_ROOT%{_libdir}/*.a ; do
2871ff
	rm -f ${lib}
2871ff
done
2871ff
2871ff
# Install a makefile for generating keys and self-signed certs, and a script
2871ff
# for generating them on the fly.
2871ff
mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
2871ff
install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
2871ff
install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
2871ff
install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
2871ff
2871ff
# Move runable perl scripts to bindir
2871ff
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
2871ff
mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}
2871ff
2871ff
# Rename man pages so that they don't conflict with other system man pages.
2871ff
pushd $RPM_BUILD_ROOT%{_mandir}
2871ff
mv man5/config.5ossl man5/openssl.cnf.5
2871ff
popd
2871ff
2871ff
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
2871ff
mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
2871ff
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
2871ff
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
2871ff
mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
2871ff
2871ff
# Ensure the config file timestamps are identical across builds to avoid
2871ff
# mulitlib conflicts and unnecessary renames on upgrade
2871ff
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
2871ff
touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
2871ff
2871ff
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
2871ff
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
a74baf
#we don't use native fipsmodule.cnf because FIPS module is loaded automatically
2871ff
rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf
2871ff
2871ff
# Determine which arch opensslconf.h is going to try to #include.
2871ff
basearch=%{_arch}
2871ff
%ifarch %{ix86}
2871ff
basearch=i386
2871ff
%endif
2871ff
%ifarch sparcv9
2871ff
basearch=sparc
2871ff
%endif
2871ff
%ifarch sparc64
2871ff
basearch=sparc64
2871ff
%endif
2871ff
2871ff
# Next step of gradual disablement of SSL3.
2871ff
# Make SSL3 disappear to newly built dependencies.
2871ff
sed -i '/^\#ifndef OPENSSL_NO_SSL_TRACE/i\
2871ff
#ifndef OPENSSL_NO_SSL3\
2871ff
# define OPENSSL_NO_SSL3\
2871ff
#endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/opensslconf.h
2871ff
2871ff
%ifarch %{multilib_arches}
2871ff
# Do an configuration.h switcheroo to avoid file conflicts on systems where you
2871ff
# can have both a 32- and 64-bit version of the library, and they each need
2871ff
# their own correct-but-different versions of opensslconf.h to be usable.
2871ff
install -m644 %{SOURCE10} \
2871ff
	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h
2871ff
cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h >> \
2871ff
	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h
2871ff
install -m644 %{SOURCE9} \
2871ff
	$RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h
2871ff
%endif
2871ff
2871ff
%files
2871ff
%{!?_licensedir:%global license %%doc}
2871ff
%license LICENSE.txt
2871ff
%doc NEWS.md README.md
2871ff
%{_bindir}/make-dummy-cert
2871ff
%{_bindir}/renew-dummy-cert
2871ff
%{_bindir}/openssl
2871ff
%{_mandir}/man1/*
2871ff
%{_mandir}/man5/*
2871ff
%{_mandir}/man7/*
2871ff
%{_pkgdocdir}/Makefile.certificate
2871ff
%exclude %{_mandir}/man1/*.pl*
2871ff
%exclude %{_mandir}/man1/tsget*
2871ff
2871ff
%files libs
2871ff
%{!?_licensedir:%global license %%doc}
2871ff
%license LICENSE.txt
2871ff
%dir %{_sysconfdir}/pki/tls
2871ff
%dir %{_sysconfdir}/pki/tls/certs
2871ff
%dir %{_sysconfdir}/pki/tls/misc
2871ff
%dir %{_sysconfdir}/pki/tls/private
2871ff
%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
2871ff
%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
2871ff
%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
2871ff
%{_libdir}/libcrypto.so.%{soversion}
2871ff
%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
2871ff
%{_libdir}/libssl.so.%{soversion}
2871ff
%attr(0755,root,root) %{_libdir}/engines-%{soversion}
2871ff
%attr(0755,root,root) %{_libdir}/ossl-modules
2871ff
2871ff
%files devel
2871ff
%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
2871ff
%{_prefix}/include/openssl
2871ff
%{_libdir}/*.so
2871ff
%{_mandir}/man3/*
2871ff
%{_libdir}/pkgconfig/*.pc
2871ff
2871ff
%files perl
2871ff
%{_bindir}/c_rehash
2871ff
%{_bindir}/*.pl
2871ff
%{_bindir}/tsget
2871ff
%{_mandir}/man1/*.pl*
2871ff
%{_mandir}/man1/tsget*
2871ff
%dir %{_sysconfdir}/pki/CA
2871ff
%dir %{_sysconfdir}/pki/CA/private
2871ff
%dir %{_sysconfdir}/pki/CA/certs
2871ff
%dir %{_sysconfdir}/pki/CA/crl
2871ff
%dir %{_sysconfdir}/pki/CA/newcerts
2871ff
2871ff
%ldconfig_scriptlets libs
2871ff
2871ff
%changelog
1ac26c
* Wed Feb 08 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-5
1ac26c
- Fixed X.509 Name Constraints Read Buffer Overflow
1ac26c
  Resolves: CVE-2022-4203
1ac26c
- Fixed Timing Oracle in RSA Decryption
1ac26c
  Resolves: CVE-2022-4304
1ac26c
- Fixed Double free after calling PEM_read_bio_ex
1ac26c
  Resolves: CVE-2022-4450
1ac26c
- Fixed Use-after-free following BIO_new_NDEF
1ac26c
  Resolves: CVE-2023-0215
1ac26c
- Fixed Invalid pointer dereference in d2i_PKCS7 functions
1ac26c
  Resolves: CVE-2023-0216
1ac26c
- Fixed NULL dereference validating DSA public key
1ac26c
  Resolves: CVE-2023-0217
1ac26c
- Fixed X.400 address type confusion in X.509 GeneralName
1ac26c
  Resolves: CVE-2023-0286
1ac26c
- Fixed NULL dereference during PKCS7 data verification
1ac26c
  Resolves: CVE-2023-0401
1ac26c
1ac26c
* Wed Jan 11 2023 Clemens Lang <cllang@redhat.com> - 1:3.0.7-4
1ac26c
- Disallow SHAKE in RSA-OAEP decryption in FIPS mode
1ac26c
  Resolves: rhbz#2142121
1ac26c
1ac26c
* Thu Jan 05 2023 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-3
1ac26c
- Refactor OpenSSL fips module MAC verification
1ac26c
  Resolves: rhbz#2157965
1ac26c
1ac26c
* Thu Nov 24 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-2
1ac26c
- Various provider-related imrovements necessary for PKCS#11 provider correct operations
1ac26c
  Resolves: rhbz#2142517
1ac26c
- We should export 2 versions of OPENSSL_str[n]casecmp to be compatible with upstream
1ac26c
  Resolves: rhbz#2133809
1ac26c
- Removed recommended package for openssl-libs
1ac26c
  Resolves: rhbz#2093804
1ac26c
- Adjusting include for the FIPS_mode macro
1ac26c
  Resolves: rhbz#2083879
1ac26c
- Backport of ppc64le Montgomery multiply enhancement
1ac26c
  Resolves: rhbz#2130708
1ac26c
- Fix explicit indicator for PSS salt length in FIPS mode when used with
1ac26c
  negative magic values
1ac26c
  Resolves: rhbz#2142087
1ac26c
- Update change to default PSS salt length with patch state from upstream 
1ac26c
  Related: rhbz#2142087
1ac26c
1ac26c
* Tue Nov 22 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.7-1
1ac26c
- Rebasing to OpenSSL 3.0.7
1ac26c
  Resolves: rhbz#2129063
1ac26c
1ac26c
* Mon Nov 14 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-44
1ac26c
- SHAKE-128/256 are not allowed with RSA in FIPS mode
1ac26c
  Resolves: rhbz#2144010
1ac26c
- Avoid memory leaks in TLS
1ac26c
  Resolves: rhbz#2144008
1ac26c
- FIPS RSA CRT tests must use correct parameters
1ac26c
  Resolves: rhbz#2144006
1ac26c
- FIPS-140-3 permits only SHA1, SHA256, and SHA512 for DRBG-HASH/DRBG-HMAC
1ac26c
  Resolves: rhbz#2144017
1ac26c
- Remove support for X9.31 signature padding in FIPS mode
1ac26c
  Resolves: rhbz#2144015
1ac26c
- Add explicit indicator for SP 800-108 KDFs with short key lengths
1ac26c
  Resolves: rhbz#2144019
1ac26c
- Add explicit indicator for HMAC with short key lengths
1ac26c
  Resolves: rhbz#2144000
1ac26c
- Set minimum password length for PBKDF2 in FIPS mode
1ac26c
  Resolves: rhbz#2144003
1ac26c
- Add explicit indicator for PSS salt length in FIPS mode
1ac26c
  Resolves: rhbz#2144012
1ac26c
- Clamp default PSS salt length to digest size for FIPS 186-4 compliance
1ac26c
  Related: rhbz#2144012
1ac26c
- Forbid short RSA keys for key encapsulation/decapsulation in FIPS mode
1ac26c
  Resolves: rhbz#2145170
1ac26c
1ac26c
* Tue Nov 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-43
1ac26c
- CVE-2022-3602: X.509 Email Address Buffer Overflow
1ac26c
- CVE-2022-3786: X.509 Email Address Buffer Overflow
1ac26c
  Resolves: CVE-2022-3602
1ac26c
1ac26c
* Wed Oct 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-42
1ac26c
- CVE-2022-3602: X.509 Email Address Buffer Overflow
1ac26c
  Resolves: CVE-2022-3602 (rhbz#2137723)
1ac26c
22d461
* Thu Aug 11 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-41
22d461
- Zeroize public keys as required by FIPS 140-3
1ac26c
  Related: rhbz#2102542
22d461
- Add FIPS indicator for HKDF
1ac26c
  Related: rhbz#2114772
22d461
22d461
* Fri Aug 05 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-40
22d461
- Deal with DH keys in FIPS mode according FIPS-140-3 requirements
1ac26c
  Related: rhbz#2102536
22d461
- Deal with ECDH keys in FIPS mode according FIPS-140-3 requirements
1ac26c
  Related: rhbz#2102537
22d461
- Use signature for RSA pairwise test according FIPS-140-3 requirements
1ac26c
  Related: rhbz#2102540
22d461
- Reseed all the parent DRBGs in chain on reseeding a DRBG
1ac26c
  Related: rhbz#2102541
22d461
22d461
* Mon Aug 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-39
22d461
- Use RSA-OAEP in FIPS RSA encryption/decryption FIPS self-test
22d461
- Use Use digest_sign & digest_verify in FIPS signature self test
22d461
- Use FFDHE2048 in Diffie-Hellman FIPS self-test
1ac26c
  Resolves: rhbz#2102535
22d461
22d461
* Thu Jul 14 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-38
22d461
- Fix segfault in EVP_PKEY_Q_keygen() when OpenSSL was not previously
22d461
  initialized.
1ac26c
  Resolves: rhbz#2103289
22d461
- Improve AES-GCM performance on Power9 and Power10 ppc64le
1ac26c
  Resolves: rhbz#2051312
22d461
- Improve ChaCha20 performance on Power10 ppc64le
1ac26c
  Resolves: rhbz#2051312
22d461
22d461
* Tue Jul 05 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-37
22d461
- CVE-2022-2097: AES OCB fails to encrypt some bytes on 32-bit x86
22d461
  Resolves: CVE-2022-2097
22d461
22d461
* Thu Jun 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-36
22d461
- Ciphersuites with RSAPSK KX should be filterd in FIPS mode
1ac26c
- Related: rhbz#2085088
22d461
- FIPS provider should block RSA encryption for key transport.
22d461
- Other RSA encryption options should still be available if key length is enough
1ac26c
- Related: rhbz#2053289
22d461
- Improve diagnostics when passing unsupported groups in TLS
1ac26c
- Related: rhbz#2070197
22d461
- Fix PPC64 Montgomery multiplication bug
1ac26c
- Related: rhbz#2098199
22d461
- Strict certificates validation shouldn't allow explicit EC parameters
1ac26c
- Related: rhbz#2058663
22d461
- CVE-2022-2068: the c_rehash script allows command injection
1ac26c
- Related: rhbz#2098277
22d461
22d461
* Wed Jun 08 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-35
22d461
- Add explicit indicators for signatures in FIPS mode and mark signature
22d461
  primitives as unapproved.
1ac26c
  Resolves: rhbz#2087147
22d461
22d461
* Fri Jun 03 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-34
22d461
- Some OpenSSL test certificates are expired, updating
1ac26c
- Resolves: rhbz#2092456
22d461
22d461
* Thu May 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-33
22d461
- CVE-2022-1473 openssl: OPENSSL_LH_flush() breaks reuse of memory
1ac26c
- Resolves: rhbz#2089444
22d461
- CVE-2022-1343 openssl: Signer certificate verification returned
22d461
  inaccurate response when using OCSP_NOCHECKS
1ac26c
- Resolves: rhbz#2087911
22d461
- CVE-2022-1292 openssl: c_rehash script allows command injection
1ac26c
- Resolves: rhbz#2090362
22d461
- Revert "Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode"
1ac26c
  Related: rhbz#2087147
22d461
- Use KAT for ECDSA signature tests, s390 arch
1ac26c
- Resolves: rhbz#2069235
22d461
22d461
* Thu May 19 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-32
22d461
- `openssl ecparam -list_curves` lists only FIPS-approved curves in FIPS mode
1ac26c
- Resolves: rhbz#2083240
22d461
- Ciphersuites with RSA KX should be filterd in FIPS mode
1ac26c
- Related: rhbz#2085088
22d461
- In FIPS mode, signature verification works with keys of arbitrary size
22d461
  above 2048 bit, and only with 1024, 1280, 1536, 1792 bits for keys
22d461
  below 2048 bits
1ac26c
- Resolves: rhbz#2077884
22d461
22d461
* Wed May 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-31
22d461
- Disable SHA-1 signature verification in FIPS mode
22d461
- Disable EVP_PKEY_sign/EVP_PKEY_verify in FIPS mode
1ac26c
  Resolves: rhbz#2087147
22d461
22d461
* Mon May 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-30
22d461
- Use KAT for ECDSA signature tests
1ac26c
- Resolves: rhbz#2069235
22d461
22d461
* Thu May 12 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-29
22d461
- `-config` argument of openssl app should work properly in FIPS mode
1ac26c
- Resolves: rhbz#2083274
22d461
- openssl req defaults on PKCS#8 encryption changed to AES-256-CBC
1ac26c
- Resolves: rhbz#2063947
22d461
22d461
* Fri May 06 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-28
22d461
- OpenSSL should not accept custom elliptic curve parameters
1ac26c
- Resolves rhbz#2066412
22d461
- OpenSSL should not accept explicit curve parameters in FIPS mode
1ac26c
- Resolves rhbz#2058663
22d461
22d461
* Fri May 06 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-27
22d461
- Change FIPS module version to include hash of specfile, patches and sources
1ac26c
  Resolves: rhbz#2070550
22d461
22d461
* Thu May 05 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-26
22d461
- OpenSSL FIPS module should not build in non-approved algorithms
1ac26c
- Resolves: rhbz#2081378
22d461
22d461
* Mon May 02 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-25
22d461
- FIPS provider should block RSA encryption for key transport.
22d461
- Other RSA encryption options should still be available
22d461
- Resolves: rhbz#2053289
22d461
1ac26c
* Thu Apr 28 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-24
1ac26c
- Fix regression in evp_pkey_name2type caused by tr_TR locale fix
1ac26c
  Resolves: rhbz#2071631
22d461
1ac26c
* Wed Apr 20 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-23
1ac26c
- Fix openssl curl error with LANG=tr_TR.utf8
1ac26c
- Resolves: rhbz#2071631
22d461
1ac26c
* Mon Mar 28 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-22
1ac26c
- FIPS provider should block RSA encryption for key transport
1ac26c
- Resolves: rhbz#2053289
22d461
1ac26c
* Tue Mar 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-21
1ac26c
- Fix occasional internal error in TLS when DHE is used
1ac26c
- Resolves: rhbz#2004915
22d461
f57b16
* Fri Mar 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-20
f57b16
- Fix acceptance of SHA-1 certificates with rh-allow-sha1-signatures = yes when
f57b16
  no OpenSSL library context is set
1ac26c
- Resolves: rhbz#2065400
f57b16
f57b16
* Fri Mar 18 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-19
f57b16
- Fix TLS connections with SHA1 signatures if rh-allow-sha1-signatures = yes
1ac26c
- Resolves: rhbz#2065400
f57b16
f57b16
* Wed Mar 16 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-18
f57b16
- CVE-2022-0778 fix
1ac26c
- Resolves: rhbz#2062315
f57b16
1ac26c
* Thu Mar 10 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-17
f57b16
- Fix invocation of EVP_PKEY_CTX_set_rsa_padding(RSA_PKCS1_PSS_PADDING) before
f57b16
  setting an allowed digest with EVP_PKEY_CTX_set_signature_md()
1ac26c
- Skipping 3.0.1-16 due to version numbering confusion with the RHEL-9.0 branch
1ac26c
- Resolves: rhbz#2062640
f57b16
1ac26c
* Tue Mar 01 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-15
f57b16
- Allow SHA1 in SECLEVEL 2 if rh-allow-sha1-signatures = yes
1ac26c
- Resolves: rhbz#2060510
f57b16
f57b16
* Fri Feb 25 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-14
f57b16
- Prevent use of SHA1 with ECDSA
f57b16
- Resolves: rhbz#2031742
f57b16
f57b16
* Fri Feb 25 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-13
f57b16
- OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
f57b16
- Resolves: rhbz#1977867
f57b16
f57b16
* Thu Feb 24 2022 Peter Robinson <pbrobinson@fedoraproject.org> - 1:3.0.1-12
f57b16
- Support KBKDF (NIST SP800-108) with an R value of 8bits
f57b16
- Resolves: rhbz#2027261
f57b16
f57b16
* Wed Feb 23 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-11
f57b16
- Allow SHA1 usage in MGF1 for RSASSA-PSS signatures
f57b16
- Resolves: rhbz#2031742
f57b16
f57b16
* Wed Feb 23 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-10
f57b16
- rebuilt
f57b16
f57b16
* Tue Feb 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-9
f57b16
- Allow SHA1 usage in HMAC in TLS
f57b16
- Resolves: rhbz#2031742
f57b16
f57b16
* Tue Feb 22 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-8
f57b16
- OpenSSL will generate keys with prime192v1 curve if it is provided using explicit parameters
f57b16
- Resolves: rhbz#1977867
f57b16
- pkcs12 export broken in FIPS mode
f57b16
- Resolves: rhbz#2049265
f57b16
f57b16
* Tue Feb 22 2022 Clemens Lang <cllang@redhat.com> - 1:3.0.1-8
f57b16
- Disable SHA1 signature creation and verification by default
f57b16
- Set rh-allow-sha1-signatures = yes to re-enable
f57b16
- Resolves: rhbz#2031742
f57b16
f57b16
* Thu Feb 03 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-7
f57b16
- s_server: correctly handle 2^14 byte long records
f57b16
- Resolves: rhbz#2042011
f57b16
f57b16
* Tue Feb 01 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-6
f57b16
- Adjust FIPS provider version
f57b16
- Related: rhbz#2026445
f57b16
a74baf
* Wed Jan 26 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-5
a74baf
- On the s390x, zeroize all the copies of TLS premaster secret
a74baf
- Related: rhbz#2040448
a74baf
a74baf
* Fri Jan 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-4
a74baf
- rebuilt
a74baf
a74baf
* Fri Jan 21 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.1-3
a74baf
- KATS tests should be executed before HMAC verification
a74baf
- Restoring fips=yes for SHA1
a74baf
- Related: rhbz#2026445, rhbz#2041994
a74baf
a74baf
* Thu Jan 20 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-2
a74baf
- Add enable-buildtest-c++ to the configure options.
a74baf
- Related: rhbz#1990814
a74baf
a74baf
* Tue Jan 18 2022 Sahana Prasad <sahana@redhat.com> - 1:3.0.1-1
a74baf
- Rebase to upstream version 3.0.1
a74baf
- Fixes CVE-2021-4044 Invalid handling of X509_verify_cert() internal errors in libssl
a74baf
- Resolves: rhbz#2038910, rhbz#2035148
a74baf
a74baf
* Mon Jan 17 2022 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-7
a74baf
- Remove algorithms we don't plan to certify from fips module
a74baf
- Remove native fipsmodule.cnf
a74baf
- Related: rhbz#2026445
a74baf
6f4837
* Tue Dec 21 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-6
6f4837
- openssl speed should run in FIPS mode
6f4837
- Related: rhbz#1977318
6f4837
cb528d
* Wed Nov 24 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-5
cb528d
- rebuilt for spec cleanup
cb528d
- Related: rhbz#1985362
cb528d
6ed7c9
* Thu Nov 18 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-4
6ed7c9
- Embed FIPS HMAC in fips.so
6ed7c9
- Enforce loading FIPS provider when FIPS kernel flag is on
cb528d
- Related: rhbz#1985362
6ed7c9
6ed7c9
* Thu Oct 07 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-3
6ed7c9
- Fix memory leak in s_client
6ed7c9
- Related: rhbz#1996092
6ed7c9
6ed7c9
* Mon Sep 20 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-2
6ed7c9
- Avoid double-free on error seeding the RNG.
6ed7c9
- KTLS and FIPS may interfere, so tests need to be tuned
6ed7c9
- Resolves: rhbz#1952844, rhbz#1961643
6ed7c9
6ed7c9
* Thu Sep 09 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-1
6ed7c9
- Rebase to upstream version 3.0.0
6ed7c9
- Related: rhbz#1990814
6ed7c9
2871ff
* Wed Aug 25 2021 Sahana Prasad <sahana@redhat.com> - 1:3.0.0-0.beta2.7
2871ff
- Removes the dual-abi build as it not required anymore. The mass rebuild
2871ff
  was completed and all packages are rebuilt against Beta version.
2871ff
- Resolves: rhbz#1984097
2871ff
2871ff
* Mon Aug 23 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 1:3.0.0-0.beta2.6
2871ff
- Correctly process CMS reading from /dev/stdin
2871ff
- Resolves: rhbz#1986315
2871ff
2871ff
* Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.5
2871ff
- Add instruction for loading legacy provider in openssl.cnf
2871ff
- Resolves: rhbz#1975836
2871ff
2871ff
* Mon Aug 16 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.4
2871ff
- Adds support for IDEA encryption.
2871ff
- Resolves: rhbz#1990602
2871ff
2871ff
* Tue Aug 10 2021 Sahana Prasad <sahana@redhat.com> - 3.0.0-0.beta2.3
2871ff
- Fixes core dump in openssl req -modulus
2871ff
- Fixes 'openssl req' to not ask for password when non-encrypted private key
2871ff
  is used
2871ff
- cms: Do not try to check binary format on stdin and -rctform fix
2871ff
- Resolves: rhbz#1988137, rhbz#1988468, rhbz#1988137
2871ff
2871ff
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.0.0-0.beta2.2.1
2871ff
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
2871ff
  Related: rhbz#1991688
2871ff
2871ff
* Wed Aug 04 2021 Dmitry Belyavskiy <dbelyavs@redhat.com> - 3.0.0-0.beta2.2
2871ff
- When signature_algorithm extension is omitted, use more relevant alerts
2871ff
- Resolves: rhbz#1965017
2871ff
2871ff
* Tue Aug 03 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta2.1
2871ff
- Rebase to upstream version beta2
2871ff
- Related: rhbz#1903209
2871ff
2871ff
* Thu Jul 22 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.5
2871ff
- Prevents creation of duplicate cert entries in PKCS #12 files
2871ff
- Resolves: rhbz#1978670
2871ff
2871ff
* Wed Jul 21 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.4
2871ff
- NVR bump to update to OpenSSL 3.0 Beta1
2871ff
2871ff
* Mon Jul 19 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.3
2871ff
- Update patch dual-abi.patch to add the #define macros in implementation
2871ff
  files instead of public header files
2871ff
2871ff
* Wed Jul 14 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.2
2871ff
- Removes unused patch dual-abi.patch
2871ff
2871ff
* Wed Jul 14 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.beta1.1
2871ff
- Update to Beta1 version
2871ff
- Includes a patch to support dual-ABI, as Beta1 brekas ABI with alpha16
2871ff
2871ff
* Tue Jul 06 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.7
2871ff
- Fixes override of openssl_conf in openssl.cnf
2871ff
- Use AI_ADDRCONFIG only when explicit host name is given
2871ff
- Temporarily remove fipsmodule.cnf for arch i686
2871ff
- Fixes segmentation fault in BN_lebin2bn
2871ff
- Resolves: rhbz#1975847, rhbz#1976845, rhbz#1973477, rhbz#1975855
2871ff
2871ff
* Fri Jul 02 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.6
2871ff
- Adds FIPS mode compatibility patch (sahana@redhat.com)
2871ff
- Related: rhbz#1977318
2871ff
2871ff
* Fri Jul 02 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.5
2871ff
- Fixes system hang issue when booted in FIPS mode (sahana@redhat.com)
2871ff
- Temporarily disable downstream FIPS patches
2871ff
- Related: rhbz#1977318
2871ff
2871ff
* Fri Jun 11 2021 Mohan Boddu <mboddu@redhat.com> 3.0.0-0.alpha16.4
2871ff
- Speeding up building openssl (dbelyavs@redhat.com)
2871ff
  Resolves: rhbz#1903209
2871ff
2871ff
* Fri Jun 04 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.3
2871ff
- Fix reading SPKAC data from stdin
2871ff
- Fix incorrect OSSL_PKEY_PARAM_MAX_SIZE for ed25519 and ed448
2871ff
- Return 0 after cleanup in OPENSSL_init_crypto()
2871ff
- Cleanup the peer point formats on regotiation
2871ff
- Fix default digest to SHA256
2871ff
2871ff
* Thu May 27 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.2
2871ff
- Enable FIPS via config options
2871ff
2871ff
* Mon May 17 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha16.1
2871ff
- Update to alpha 16 version
2871ff
  Resolves: rhbz#1952901 openssl sends alert after orderly connection close
2871ff
2871ff
* Mon Apr 26 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha15.1
2871ff
- Update to alpha 15 version
2871ff
  Resolves: rhbz#1903209, rhbz#1952598, 
2871ff
2871ff
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:3.0.0-0.alpha13.1.1
2871ff
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
2871ff
2871ff
* Fri Apr 09 2021 Sahana Prasad <sahana@redhat.com> 3.0.0-0.alpha13.1
2871ff
- Update to new major release OpenSSL 3.0.0 alpha 13
2871ff
  Resolves: rhbz#1903209